[I_Am_Nous]

>debit card ending in 6969 purchased Ozempic at pharmacy >debit card ending in 6969 purchased $200 of food, 5% less than they did last month

They don't have to know anything about the specific person to correlate data they likely already have in their POS system.

[dymk]

HIPAA violation

[deadlydose]

No, I don't think it would be. The last four digits of a CC purchase at a pharmacy won't contain PHI. It will just say "pharmacy." But if you have some data to back that claim up, I'd love to read about it.

[kelipso]

They probably have records for each individual (not just last four digits of CC); I don't think it's hipaa violation as long as the records don't contain personally identifying information.